I guess the easiest explanation is that a script requires a way to run and a program has been compiled to run. It can sort of stand on its own. It's easier to change a script than it is to change a program. Also you can just dump any old script against a website; it really depends on what is running that site. For instance, you can't inject a VBScript if there is no way to tell the web server to run it. The cogs of the machine determine what tools you use, and that comes with clever recon of that site. Much of what is used is used to help the pen tester in launching attacks against the site based on the vulnerabilities that are found, i.e. SQL injection if it is discovered that the site uses an SQL server somewhere in the background to store information. If the site runs PHP, there are ways to determine what versions are in use and run attacks based on known vulnerabilities.
Of course this should only be done with the written consent of the client and you should never use this knowledge to play on sites you don't own.
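Added example, not part of the original post: the version checks the post mentions usually start from what the server announces about itself, so a site owner can audit their own response headers for that leakage. The sample response, the header table and the function names are constructed for illustration.

```python
import re

# Response headers that commonly advertise the server-side stack, mapped to
# the setting that trims or removes each one.
DISCLOSING = {
    "server": "Apache: ServerTokens Prod / nginx: server_tokens off",
    "x-powered-by": "PHP: expose_php = Off",
    "x-aspnet-version": 'ASP.NET: <httpRuntime enableVersionHeader="false" />',
}
VERSION = re.compile(r"\d+(?:\.\d+)+")  # dotted version such as 7.4.3


def parse_headers(raw):
    """Return (lowercased name, value) pairs from a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]      # drop the body
    pairs = []
    for line in head.split("\r\n")[1:]:     # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit(raw):
    """List headers that reveal the stack; flag those that include a version."""
    findings = []
    for name, value in parse_headers(raw):
        if name in DISCLOSING:
            versions = VERSION.findall(value)
            findings.append({
                "header": name,
                "value": value,
                "versions": versions,
                "severity": "version" if versions else "product",
                "fix": DISCLOSING[name],
            })
    return findings


# Constructed sample response from a default-configured server.
SAMPLE = ("HTTP/1.1 200 OK\r\n"
          "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
          "Server: Apache/2.4.41 (Ubuntu)\r\n"
          "X-Powered-By: PHP/7.4.3\r\n"
          "Content-Type: text/html; charset=UTF-8\r\n"
          "\r\n<html></html>")

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['header']}: {f['value']} [{f['severity']}] -> {f['fix']}")
```

A response that still sends `Server: Apache` with no version is reported with severity `product` rather than `version`, which is the state the listed settings aim for.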